Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring secure remote access to ASA

We have IPSEC access to the ASA. The users authenticate using username and password. HTTPS has also been enabled on the ASA. We would like to limit remote management access to the ASA.

1)Are the following configurations accurate?

hostname(config)#ssh 192.x.x.202 255.255.255.0 inside

hostname(config)#ssh 207.x.x.204 255.255.255.240 outside

hostname(config)#http 192.x.x.202 255.255.255.0 inside

hostname(config)#http 207.x.x.202 255.255.255.240 outside

2.Is the enable password the only key feature that keeps remote access users from the management console(s) of the ASA?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Configuring secure remote access to ASA

Said

I believe that there may be some syntax issues in what you are suggesting. If you do enter the command:no ssh 0.0.0.0 0.0.0.0 outside what it would do would be to look for the command:ssh 0.0.0.0 0.0.0.0 outside and if it found the command it would remove the command.

What you are trying to accomplish is to prevent SSH access through the outside interface. To do that just be sure that there is no SSH command that uses the outside parameter. I do not believe that there is any single command that says do not allow any SSH access through the outside interface.

Whether you have enabled SSH on the outside interface or not has no impact on VPN users access to network resources (other than the ASA).

HTH

Rick

6 REPLIES

Re: Configuring secure remote access to ASA

Hi Said,

1) Yes, these commands are correct assuming the addresses and subnet masks you list indicate addresses you want to allow management access to.

2) No, you can also configure individual accounts for your users who need management access. You can create a user with the following command:

hostname(config)# user password privilege

As you can see, you can set privilege levels for each user to determine how much access they are allowed to have. For example, a user with privilege level 15 has full access. A user with level 5 has read-only access and so on. You can achieve a high amount of granularity here as well by specifying which accounts certain privilege levels are able to access (see 'privilege' command reference below).

Once you have your user accounts configured, you simply need to configure the ASA to authenticate management access with the local user account database:

hostname(config)# aaa authentication ssh console LOCAL

hostname(config)# aaa authentication http console LOCAL

Here are some links that describe these commands also:

username:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/uz_72.html#wp1410096

aaa authentication console:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437931

privilege:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1732123

Hope that helps.

-Mike

Hall of Fame Super Silver

Re: Configuring secure remote access to ASA

Mike

I am not sure that we can say that these commands are really correct until we get a better understanding of what Said is really trying to do. He is specifying two addresses that look like host addresses:

192.x.x.202

207.x.x.204

but he is specifying them with subnet masks (and the addresses specified are not the base subnet address for either of the masks)

192.x.x.202 255.255.255.0

207.x.x.204 255.255.255.240

So if Said can clarify what he really wants the restriction to be (is it the specific host or is it the whole subnet, or what) then we are in a better position to say whether the commands are ok or not.

HTH

Rick

New Member

Re: Configuring secure remote access to ASA

Rick,

I made up the hosts IPs for security for this question. We want to lock access to remote management of the ASA and the router. My question was how to restrict remote and internal management to specific hosts. If you can assist on the router as well, I would appreciate it.

Thanks.

Said

New Member

Re: Configuring secure remote access to ASA

Will the command "no ssh 0.0.0.0 0.0.0.0 outside" allow VPN client users access to network resources? We want to disable management of the networking devices from outside of the network, yet allow access to network resources by VPN Client users.

Thanks.

Hall of Fame Super Silver

Re: Configuring secure remote access to ASA

Said

I believe that there may be some syntax issues in what you are suggesting. If you do enter the command:no ssh 0.0.0.0 0.0.0.0 outside what it would do would be to look for the command:ssh 0.0.0.0 0.0.0.0 outside and if it found the command it would remove the command.

What you are trying to accomplish is to prevent SSH access through the outside interface. To do that just be sure that there is no SSH command that uses the outside parameter. I do not believe that there is any single command that says do not allow any SSH access through the outside interface.

Whether you have enabled SSH on the outside interface or not has no impact on VPN users access to network resources (other than the ASA).

HTH

Rick

New Member

Re: Configuring secure remote access to ASA

Rick,

The question applies to HTTPS and SSH. Guidance/config for 1. totally locking remote management from outside of the LAN, 2. enabling specific IPs from outside, 3. specific LAN IPs would be appreciated.Thanks.

Said

169
Views
5
Helpful
6
Replies
CreatePlease to create content